NATIONAL ENDOWMENT FOR THE ARTS
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2007 EVALUATION

NEA’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-08-01
OCTOBER 22, 2007

REPORT RELEASE RESTRICTION

This report may not be released to anyone outside of the National Endowment for the Arts (NEA) without the approval of the NEA Office of Inspector General.

Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public.

Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s information security programs and practices. This report is an evaluation of NEA’s information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on November 27, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

- Periodic risk assessments;
- Policies and procedures that are based on risk assessments;
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
- Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
- Periodic testing and evaluation of the effectiveness of information security policies;
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
- Procedures for detecting, reporting, and responding to security incidents; and
- Plans and procedures to ensure continuity of operations of the agency’s information systems.

Office of Management and Budget (OMB) Memorandum M-07-19, dated July 25, 2007, entitled “FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2007 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications, including An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls, as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM). NIST has also issued Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation Enterprise Service Center to host NEA’s Financial Management System (FMS) through its Delphi Financial Management System. In addition, NEA operates support systems including electronic mail, and internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA’s computer and data networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. This included a review of NEA’s IT security policies and procedures, interviews with responsible agency officials managing the IT systems, and tests of the effectiveness of security controls.

PRIOR EVALUATION

The NEA Office of Inspector General issued a report entitled “Fiscal Year 2006 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002” (Report No. R-06-02) dated September 21, 2006. The report had eight recommendations, all of which have been resolved. It is noted that there was a recommendation that NEA IT conduct an e-authentication risk assessment as required by OMB. It was subsequently determined that NEA systems did not meet the necessary requirements for an e-authentication risk assessment to be conducted. Therefore, the recommendation was considered to be resolved.

EVALUATION RESULTS

Our current evaluation determined that there are several issues that need to be addressed by NEA’s Information and Technology Management Division. These include issues related to e-authentication risk assessment, updating the Security and Disaster Recovery Plans, and implementing procedures related to security awareness training, inventory, and change management. Details are presented in the following narrative.

Risk Assessment

SeNet International Corporation performed the last risk assessment, the results of which were issued on August 26, 2005. The review concluded, “The implementation and management of the security architecture supporting the National Endowment for the Arts enterprise network appears to require strengthening in order to more effectively restrict unauthorized internal access to information resources.”

The review cited the following weaknesses at the time of their review:

- Systems were discovered that did not have the latest security patches,
- Systems were discovered running unnecessary or potentially vulnerable services,
- Weak passwords were identified, and
- Open shares were discovered where potentially sensitive information could be discovered.

NEA ITM addressed these weaknesses in “The Security Audit Action Plan,” issued in response to the risk assessment. The only vulnerability remaining for corrective action related to systems that were discovered running unnecessary or potentially vulnerable services. The solution was to replace the Windows 2000 Servers with Windows 2003 Servers. These new Windows 2003 Servers were installed by December 31, 2005.

E-Authentication Risk Assessment. OMB Memorandum 04-04, issued December 16, 2003, directed “agencies to conduct ‘e-authentication risk assessments’ on electronic transactions to ensure that there is a consistent approach across government.” The guidance applies to “remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).”

The 2007 FISMA guidance issued by OMB asks Inspectors General to determine whether such an assessment was conducted. No such assessment was conducted. NEA IT determined that NEA systems did not meet the necessary requirements to conduct an e-authentication risk assessment, since NEA systems are not internet-based, are not available to users outside of the agency’s firewall, and do not require authentication from users on the outside. As such, we agreed that NEA ITM was not required to perform the e-authentication risk assessment.

NIST Self-Assessment

ITM conducted its 2007 self-assessment using the controls found in the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” The primary issues identified in this assessment included the lack of written policies regarding remote access monitoring, portable and mobile devices, media protection, risk assessment, and system and service acquisition. Weaknesses identified in this self-assessment should be included in NEA’s Plans of Action and Milestones (POA&Ms), which are updated quarterly and submitted to the Office of Management and Budget.

Security Plan

NEA issued its security plans for each of its in-house GMS and APBS systems, which address FISMA and OMB requirements, in September 2004. The development of security plans is an important activity in an agency’s information security program that directly supports the security accreditation process required under FISMA and OMB Circular A-130. Security plans should ensure that adequate security is provided for all agency information collected, processed, stored, or disseminated in NEA’s general support systems and major applications. It is noted that there have been changes to the NEA Network. The last update for the NEA Network that is included in the Security Plan is dated June 2007.

Security Certification and Accreditation. As noted previously, NEA hosts both the GMS and APBS, both of which were certified and accredited on September 26, 2004. The FMS is contracted to the Department of Transportation Enterprise Service Center. The 2005 SeNet Report noted that three major systems were identified and granted the Authority to Operate in November 2004. In their review of the Certification and Accreditation (C & A) documentation, they stated, “it appears that the process that was used to perform the C & A does not meet established best practices or federal guidelines.”

As a result, ITM took appropriate action and in March 2006, ITM recertified that the Local Area Network (LAN) and all Information Systems (GMS – Grants Management System, Delphi – Financial Management System, and APBS – Automated Panel Bank System) have the appropriate safeguards in place and that the data processed is secure. NEA implemented a single site certification and accreditation program using the Federal Information Security Act of 2002, Public Law 107-347, OMB Circular A-130, and NIST 800-37 as the implementation guidance for its development. This accreditation is valid until March 2009.

Disaster Recovery Plan

NEA has documented its disaster recovery plan (July 2002). The recovery plan provides that:

- NEA will maintain an alternate e-mail address resident on a server outside of the NEA facilities to support emergency communications.
- An Emergency Recovery Server will be maintained within the building, but in a physical location distant from ITM, to facilitate Level One and Level Two recoveries. It shall contain current software, updated nightly, that duplicates that which is in use by NEA.
- Standby network equipment will be maintained in a location outside of ITM to restore operations.
- At the end of every business day, two backup copies of all systems data will be taken. One will be stored outside of the building and one will be stored within the building, but outside of the Computer Center.

Our prior evaluation included a recommendation that IT update the Disaster Recovery Plan to include changes in the handling of backup copies of systems data. A supplement to the Disaster Recovery Plan has been issued to include those changes.

Security Training

ITM had previously documented a security-training plan (August 2002) for ITM staff and contractors. The purpose of the plan was to ensure that NEA employees with significant security responsibilities (1) have the most current computer security information and (2) have an adequate understanding of computer/IT security laws and requirements.

NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, and NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. We recommended in our 2005 evaluation that ITM implement security awareness training for all NEA employees as soon as possible. This training was implemented in December 2005. However, it was noted in our previous 2006 evaluation that ITM did not develop a system to readily identify those who have taken or have not taken the training. ITM has since implemented procedures to document who has taken the training.

Security Incidents

NEA has formalized a “Computer Security Incident Policy” (Revised November 2003), which (1) identifies the type of activity characterized as a computer security incident, and (2) defines the steps to be taken to report a computer security incident. The policy applies to all permanent and temporary employees, including contractors who utilize NEA’s computer equipment and systems.

It is generally known that security incidents have become more frequent, whether they are caused by viruses, hackers, or software bugs. Appendix III to OMB Circular A-130 states:

    When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system’s incident response capability.

Any NEA computer security incidents are handled by ITM’s Computer Security Incident Team (CSIT), which consists of two employees from ITM’s Customer Services Division and two employees from ITM’s Plans, Policy and Programs Division. One employee, who is designated as the CSIT coordinator, serves as the team’s central resource for monitoring computer security incidents.

NEA’s policy states, “Any employee or contractor who has knowledge of a computer security incident should report the incident to the CSIT Coordinator via e-mail (or phone if e-mail is not available).”

Our 2003 evaluation recommended that NEA revise its computer security incident policy to reflect FedCIRC timeframe requirements for security incident reporting. A revised computer incident policy was issued in November 2003 and established timeframes for reporting security incidents to FedCIRC.

Despite numerous attempts to intrude into NEA systems during the past year, there were no successful incidents referred by employees to NEA ITM officials within the context of NEA’s Computer Security Incident Policy.

Access Controls

ITM developed and implemented an “Access Control Policy” in December 2001 that established procedures for removing terminating employees’ user IDs and passwords for the LAN, e-mail and mission critical systems. ITM also developed and implemented procedures applicable to employees terminating their NEA employment that specifically note the steps required to clear applicable user IDs and passwords.

NIST recommends periodic reviews of user account information for managing user access. NEA does have controls in place that require LAN users to change their passwords every 60 days and ensure that intruders (those who make numerous attempts to access the LAN) are locked out of the system after four attempts to log in with an invalid password.

Our 2002 evaluation noted that ITM was not always notified when school interns leave NEA. These are students who work during the summer or break periods, but are not paid by NEA. Since NEA does not pay the interns, there was no means to ensure that exit clearance procedures were followed (such as withholding their final pay). In addition, the supervisors of these interns were not always informing ITM of their departure because there was no requirement to do so. Thus, these interns could potentially continue to access and use the e-mail system from an alternate location for unauthorized purposes. As a result, NEA instituted new sign-out procedures for interns, temporary contractors and volunteers. However, our 2003 evaluation found that ITM was still not being informed in a timely manner about such individuals. Although ITM has requested departure dates from the Human Resources Division for these temporary employees, the dates were not always provided. We recommended that ITM not initiate computer or e-mail access unless a departure date is provided.

As a result, the “Access Control Policy” was revised in November 2003 to include that “before computer access can be granted to temporary employees/contractors, the Human Resources Division must inform ITM of the anticipated end dates for these individuals’ assignments in order to ensure that their access rights are removed at the appropriate time.” The August 2005 SeNet report noted that weak passwords were identified and, as a result, NEA ITM implemented a new, stronger password policy, which was formally issued in March 2006. This password policy continues to be followed.

Physical Controls

NEA appears to have adequate physical controls to protect its IT inventories and supplies. The facilities are protected by fire alarms and sprinkler systems. Access to NEA’s space in the building is controlled by guards who require proper identification for entry. During nonworking hours, sign-in and sign-out procedures are in effect. The computer data room has cipher locks to restricted areas, and this entire area is always secured and locked.

If NEA contracts for IT services that require access to its computer data room, the access code (via a cipher lock) that is used by the contractor is different from the code used by NEA ITM employees. In addition, the contractor’s access code is changed whenever one of the contractor’s operators is terminated.

Inventory Controls

NEA has an inventory of its hardware and has updated its listing with the last entry as of September 20, 2007. The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. The inventory is maintained on a perpetual basis and is updated as equipment is added or deleted. It also indicates the date the inventory was taken and the initials of the person who took the inventory.

Contractor Security

NEA appears to have imposed adequate security measures on its contractors. All short-term (data entry) contractors have limited computer access. That is, they do not get a full menu upon login and are limited in what they can input into the system, which is restricted by their user name and password. For example, they cannot access or input data into any systems management function. They also do not have internet or intranet access. Since the contracts are short-term, users are deleted from the system upon contract termination.

Computer access for a long-term contractor involved with NEA systems and the help desk generally is unrestricted. However, the CIO and ITM carefully screen these contractors and require background checks.

Change Management

Both our 2003 and 2004 evaluations concluded that ITM must develop policies and procedures related to change management and control for the development and modification of IT systems. ITM issued a “Change Management Policy/Procedure” effective December 1, 2004. This policy “describes the responsibilities, policies, and procedures to be followed by ITM when making changes or recording events to the National Endowment for the Arts IT infrastructure.” It defines “change” and “event” as follows:

    Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our users and ITM; any interruption in building environments (i.e., electrical outages) that may cause disruption to the IT infrastructure.

    Event: any activity outside of the normal operating procedures that could have a potential and/or significant impact on the stability and reliability of the infrastructure, i.e. a request to keep a system up during a normal shutdown period.

The change management process includes the submission of a change request with management approval. During our prior evaluation, it was noted that when we requested a log and/or copies of such requests, none had been submitted. As a result, a recommendation was made that IT implement procedures to ensure compliance with the NEA Change Management Policy. Our current evaluation noted that IT has implemented such procedures and ITM Change Management Request Forms are now maintained.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center’s Oracle Federal Financials System, Delphi, as its financial management system. OMB requires that such service organizations provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing, and output controls built into the Delphi system.

The independent contractor rendered an opinion on the effectiveness of those controls for the eight-month period from October 1, 2006 through May 31, 2007. The audit concluded that “management’s description of controls presents fairly, in all material respects, the controls that have been placed in operation as of May 31, 2007. In addition, controls are suitably designed and were operating effectively on 9 of 10 control objectives during the period from October 1, 2006, through May 31, 2007. The exception is logical access controls because management has not completed the move of the Delphi servers to a more secure environment.”

NEA also uses the Department of Agriculture (USDA) National Finance Center as its payroll provider. The latest Statement on Auditing Standards Number 70 (SAS 70) Review of the Department of Agriculture Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) issued by the USDA OIG was for fiscal year 2006. This review concluded that the Department of Agriculture Office of the Chief Financial Officer/National Finance Center’s “description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC.” Also, in their opinion, “the controls included and/or referenced in the description, as updated, were suitably designed to provide reasonable assurance that associated control objectives would be achieved if the described policies and procedures were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.”

The 2006 USDA report described “weaknesses in OCFO/NFC internal control policies and procedures that may be relevant to the internal control structure of OCFO/NFC customer agencies.” The report further stated that “OCFO/NFC reinstituted control activities that were disrupted after Hurricane Katrina and updated its procedures to address the control weaknesses” that were identified.

The 2007 USDA SAS 70 Report on the National Finance Center was not available at the time of our evaluation in September 2007. We recommend that NEA ITM provide us with a copy of the report as soon as it becomes available.

EXIT CONFERENCE

An exit conference was held with NEA’s CIO on October 22, 2007. The CIO generally concurred with our recommendations and has agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

1. Include corrective actions for weaknesses identified in its IT self-assessment in NEA’s Plans of Action and Milestones (POA&Ms), which are updated quarterly and submitted to the Office of Management and Budget.

2. Provide the Office of Inspector General with a copy of the 2007 Statement on Auditing Standards Number 70 (SAS 70) Review of the Department of Agriculture National Finance Center.